Digital Forensics Chapter 5
Master File Table (MFT)
The database NTFS uses to track every file and folder on a volume (including the MFT itself and the other system files). Each MFT record holds a file's attributes: access rights (its security descriptor), date and time stamps, system attributes, and either the file's data itself (resident) or pointers to where the data is stored outside the MFT (nonresident).
logical cluster numbers (LCNs)
Sequential cluster numbers, counted from the start of the NTFS volume, that the MFT uses to refer to a specific location on a disk partition. LCNs are the addresses the MFT uses to read and write a nonresident attribute's data outside the MFT record. See also virtual cluster number (VCN).
Master Boot Record (MBR)
On Windows and DOS computer systems, the first sector (sector 0) of a disk. It is not a file: it holds the initial boot code and the partition table, which records each partition's type, starting location, size, and whether it is marked bootable.
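As an added example (not part of the original glossary), the following Python parses the partition table in an MBR sector and lists the sectors no partition covers, which is where an examiner would look for a partition gap. The 512-byte sample sector is constructed inline with struct; it is not taken from a real disk, and the partition type table is a small assumed subset of the well-known codes.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # partition table starts at byte 446 of sector 0
PART_ENTRY_SIZE = 16         # four 16-byte entries, then the 0x55AA signature
MBR_SIGNATURE = b"\x55\xAA"

# Assumption: a small subset of the well-known MBR type codes, enough for the
# constructed sample below; a real tool would carry the full table.
PART_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0xEE: "GPT protective",
}


def parse_mbr(sector0: bytes) -> list:
    """Parse the four primary partition entries from an MBR sector.

    Each entry is: status (1 byte, 0x80 = bootable), CHS start (3 bytes),
    type (1 byte), CHS end (3 bytes), LBA start (4 bytes LE), sector count
    (4 bytes LE). The CHS fields are skipped; the LBA values are what matter.
    """
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing MBR signature 0x55AA")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, off)
        if ptype == 0x00 and sectors == 0:
            continue                      # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,   # where the volume begins in an image
        })
    return parts


def unallocated_ranges(parts: list, total_sectors: int) -> list:
    """Return (first, last) sector ranges covered by no partition.

    These are the partition gaps worth carving: the space after the MBR and
    before the first partition, gaps between partitions, and any tail after
    the last one. Sector 0 (the MBR itself) is excluded.
    """
    ranges = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            ranges.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from a real disk): a bootable NTFS partition
    at LBA 2048 and a FAT32 partition that starts 2048 sectors after it ends."""
    buf = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable NTFS, 100 MiB
        (0x00, 0x0C, 208896, 102400),  # FAT32, leaving a 2048-sector gap before it
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         status, ptype, start, count)
    buf[510:512] = MBR_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"#{p['index']} {flag} {p['type']:<16} LBA {p['lba_start']:>8}"
              f" +{p['sectors']:>8} sectors (byte offset {p['byte_offset']})")
    for first, last in unallocated_ranges(parts, total_sectors=409600):
        print(f"unallocated: sectors {first}-{last} ({last - first + 1} sectors)")
```

On a real image, read the first 512 bytes of the disk image and pass them to parse_mbr; the byte_offset of each entry is the offset at which to mount or parse that volume. A type code of 0xEE means the MBR is only a protective wrapper and the real layout lives in a GPT header at LBA 1.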
unallocated disk space
Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
partition
A logical drive on a disk. It can be the entire disk or part of the disk.
recovery certificate
A mechanism of NTFS file encryption (EFS) that lets a designated recovery agent, such as a network administrator, decrypt files if the user who created them loses the private key.
head and cylinder skew
A method manufacturers use to minimize lag time. The starting sectors of adjacent tracks (head skew) and of adjacent cylinders (cylinder skew) are slightly offset from each other so that, by the time the read-write head has switched heads or moved to the next cylinder, the next sector to read is just arriving under it.
Resilient File System (ReFS)
A file system introduced with Windows Server 2012. It is designed for greater scalability of disk storage and improved data recovery and error checking (integrity verification of data and metadata).
one-time passphrase
A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.
Encrypting File System (EFS)
A public/private key encryption scheme first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key (the file encryption key), and that symmetric key is then encrypted with the user's public key, so only the holder of the matching private key (or a recovery agent) can decrypt the file.
wear-leveling
An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells.
public key
In public/private key encryption, the key used to encrypt data (in EFS, the symmetric key that protects a file). It can be shared openly; a certificate authority, such as a global registry, a network server, or a company such as VeriSign, certifies that it belongs to its owner.
bootstrap process
Firmware code and settings stored in ROM that the computer runs during startup; it initializes the hardware, locates the boot device, and loads the code that starts the OS.
cylinder
A column of tracks on two or more disk platters.
sector
A section of a track, typically 512 bytes (4096 bytes on newer Advanced Format drives).
data runs
Lists of cluster addresses, stored in a nonresident attribute of an MFT record, that say where a file's data is stored on the drive's partition outside the MFT. Each run records a starting cluster and a length in clusters.
tracks
Concentric circles on a disk platter where data is stored.
virtual machines
Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.
attribute ID
In NTFS, a type code identifying each attribute in an MFT record, such as 0x10 ($STANDARD_INFORMATION), 0x30 ($FILE_NAME), and 0x80 ($DATA). Each attribute holds metadata about the file or folder, or the file's data (resident) or links to the file's data (nonresident).
metadata
In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).
private key
In encryption, the key used to decrypt the file. The file owner keeps this key.
zone bit recording (ZBR)
The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks: tracks are grouped into zones, and the outer zones hold more sectors per track than the inner zones.
areal density
The number of bits per square inch of a disk platter.
File Allocation Table (FAT)
The original Microsoft file structure database. It is written near the beginning of the partition (the outermost tracks of the disk) and contains one entry per cluster, chaining together the clusters that make up each file stored on the drive.
track density
The space between tracks on a disk. The smaller the space between tracks, the more tracks fit on a disk. Older drives used wider spacing because their heads could wander more.
file slack
The unused space between the end of a file's data and the end of the last cluster allocated to it. Because space is allocated in whole clusters, a file smaller than its allocation leaves the remainder as slack space, which can contain passwords, logon IDs, file fragments, and deleted e-mails left over from earlier use of the cluster.
file system
The way files are stored on a disk; gives an OS a road map to data on a disk.
drive slack
The part of file slack made up of the whole sectors between the last sector written by the active file and the end of the cluster. The OS does not overwrite these sectors when it saves the file, so they can still contain deleted files, deleted e-mail, or file fragments from a previous occupant of the cluster. See also RAM slack.
alternate data streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, each stream is stored as an additional named $DATA attribute in the file's MFT record, and its size is not counted in the file size normally shown to the user.
virtual cluster number (VCN)
In NTFS, the sequential index of a cluster within a file's data: VCN 0 is the file's first cluster, VCN 1 the next, and so on. Small files are resident (stored inside the MFT record); larger files are nonresident and have their data stored in clusters outside the MFT. The data runs in the file's $DATA attribute map each contiguous range of VCNs to the LCN on the partition where that range is stored. A fragmented file has several data runs, and each run's LCN is encoded as an offset relative to the start of the previous run. See also data runs and logical cluster numbers (LCNs).
geometry
A disk drive's internal organization of platters, tracks, and sectors.
Registry
A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.
clusters
Storage allocation units composed of groups of sectors. Common sizes are 512, 1024, 2048, or 4096 bytes (the NTFS default is 4096 bytes); larger cluster sizes are possible.
physical addresses
The actual sectors in which files are located. Sectors reside at the hardware and firmware level.
head
The device that reads and writes data to a drive.
NT File System (NTFS)
The file system Microsoft created to replace FAT. NTFS adds security features (access control lists on files and folders), allows smaller cluster sizes, and uses Unicode file names, which makes it a more versatile system. NTFS has been the standard Windows file system since Windows NT.
RAM slack
The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. In older Microsoft OSs, whatever data happened to be in RAM when the file was saved, such as logon IDs and passwords, was written into this area, whether or not the user ever saved that information. RAM slack is therefore found primarily in older Microsoft OSs; modern Windows versions zero-fill it.
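As an added example for the file slack, drive slack and RAM slack entries (not part of the original glossary), this Python computes where each slack region lies for a file of a given size and then carves those regions out of the file's allocated clusters. The 8192-byte cluster buffer is constructed inline: it pretends a previous occupant left an e-mail fragment in the cluster and a new 5000-byte file was then written over the start of it. Sector and cluster sizes are the common 512 and 4096 bytes, passed in as assumptions; the file is assumed to be nonresident (stored in clusters, not inside its MFT record).

```python
from typing import Dict, Tuple


def slack_layout(file_size: int, sector_size: int = 512, cluster_size: int = 4096) -> Dict:
    """Locate RAM slack, drive slack and total file slack for one nonresident file.

    Offsets are relative to the first byte of the file's first allocated cluster.
    RAM slack runs from EOF to the end of the last sector written; drive slack is
    the whole sectors after that up to the end of the allocated clusters.
    """
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    if sector_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of sector size")
    clusters = (file_size + cluster_size - 1) // cluster_size      # allocation is whole clusters
    allocated = clusters * cluster_size
    sector_end = ((file_size + sector_size - 1) // sector_size) * sector_size  # end of last written sector
    return {
        "clusters": clusters,
        "allocated_bytes": allocated,
        "ram_slack": (file_size, sector_end),     # byte range [start, end)
        "drive_slack": (sector_end, allocated),   # byte range [start, end)
        "ram_slack_bytes": sector_end - file_size,
        "drive_slack_bytes": allocated - sector_end,
        "file_slack_bytes": allocated - file_size,
    }


def extract_slack(allocated_data: bytes, file_size: int,
                  sector_size: int = 512, cluster_size: int = 4096) -> Tuple[bytes, bytes]:
    """Return (ram_slack_bytes, drive_slack_bytes) carved from the raw bytes of
    the file's allocated clusters, e.g. as read straight from a disk image."""
    layout = slack_layout(file_size, sector_size, cluster_size)
    if len(allocated_data) != layout["allocated_bytes"]:
        raise ValueError(f"expected {layout['allocated_bytes']} bytes of cluster data")
    r0, r1 = layout["ram_slack"]
    d0, d1 = layout["drive_slack"]
    return allocated_data[r0:r1], allocated_data[d0:d1]


# Constructed sample data (not from a real drive).
REMNANT = b"From: old@example.com\r\nlogon=jdoe password=hunter2\r\n"
NEW_FILE_SIZE = 5000


def build_sample_clusters() -> bytes:
    """Two 4096-byte clusters: an earlier file left REMNANT at offset 6000, then a
    5000-byte file was written over the start and its RAM slack was zero-filled,
    as a modern OS does. Everything else is stale 0xFF filler."""
    buf = bytearray(b"\xff" * 8192)
    buf[6000:6000 + len(REMNANT)] = REMNANT
    buf[0:NEW_FILE_SIZE] = b"A" * NEW_FILE_SIZE
    layout = slack_layout(NEW_FILE_SIZE)
    r0, r1 = layout["ram_slack"]
    buf[r0:r1] = b"\x00" * (r1 - r0)
    return bytes(buf)


if __name__ == "__main__":
    layout = slack_layout(NEW_FILE_SIZE)
    print(f"{NEW_FILE_SIZE}-byte file uses {layout['clusters']} clusters "
          f"({layout['allocated_bytes']} bytes): RAM slack {layout['ram_slack_bytes']} B, "
          f"drive slack {layout['drive_slack_bytes']} B, file slack {layout['file_slack_bytes']} B")
    ram, drive = extract_slack(build_sample_clusters(), NEW_FILE_SIZE)
    print("RAM slack all zero:", ram == b"\x00" * len(ram))
    print("drive slack remnant:", drive[drive.find(b"From:"):].rstrip(b"\xff").decode())
```

The drive slack is where the recoverable evidence sits: the new file's save never touched sectors after the one containing its EOF, so the earlier occupant's logon and password remain until some later file is allocated those clusters.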
partition gap
Unused space or void between the primary partition and the first logical partition.